
Re: Securing Internet mail at the MTA level





> > It's also clear to me that for E-mail, you don't want transport level
> > security for the system; you want "object" security, that is, digital
> > signature and encryption of the mail message.
> 
> Yup. This is a frequently missed point. Link security and object
> security have different uses at different times -- and people confuse
> them way too often.
> 

With the question of "Do you want object security or link security
for email?", the answer is (as with all security questions) "What
is your threat model?"

For example:  Your company does not have mailreaders capable
of doing encryption (at least not easy enough for average users).
Your supplier has the same situation.  You have accepted 
this fact for the time being, and trust that your employees
won't tinker with the email if they want their job for long.

However, the email you send to your supplier and vice-versa 
should not go over the Internet unencrypted as it potentially 
contains sensitive information. 

So, a link-level encryption that the two co-operating 
sys-admins can set up would be a good solution.  This would
be easier to set up and maintain than an encrypted router tunnel
through the net, and solve your problem.

Of course, I'll submit that object security on email would 
be preferable, but that might not be practical right now.

Dan
------------------------------------------------------------------
Dan Oelke                                  Alcatel Network Systems
[email protected]                             Richardson, TX